Does it deliver on what you say it can do? Check.
Have you thought through your marketing strategy? Check.
Does it look like app stores might be interested? Check.
Ready? Not so fast. There’s an indispensible step you may be overlooking. But there’s good news: The FTC has 12 tips to make that task easier.

The essential component is, of course, security. There’s no one-size-fits-all approach — different apps raise different considerations — but the FTC’s new publication, Mobile App Developers: Start with Security, has advice to help you offer users a more secure experience.

First things first. Before you get down to the nuts and bolts of data security, consider some suggestions on how to evaluate the ecosystem, including the use of cross-platform toolkits and the different kinds of functionality that could raise the security stakes for your app. Read the brochure for more detail, but here are a dozen hints about what you’ll find when you dive in:

1. Make someone responsible for security. Of course, if you’re running a solo operation, the buck stops with you.

2. Take stock of the data you collect and retain. Practice data minimization. Don’t collect or keep information you don’t need.

3. Understand differences between mobile platforms. Each mobile operations system uses different APIs and provides its own security features. Do your research and adapt your code accordingly.

4. Don’t rely on a platform alone to protect your users. Platforms may offer features to make security easier, but it’s up to you to understand them, use them properly, and explain them to your users in everyday language.

5. Generate credentials securely. If you create credentials for your user — say, usernames or passwords — do it securely. Of course, what’s appropriate for your app will depend on the kind of info that's involved.

6. Use transit encryption for usernames, passwords, and other important data. Let’s face it: People will probably use your app on unsecure Wi-Fi access points like coffee shops or airports. If your app transmits data best kept secure, use transit encryption.

7. Use due diligence on libraries and other third-party code. Third-party libraries can save time, but keep your ear to the ground. Does the library or SDK have known security vulnerabilities?

8. Consider protecting data you store on a user’s device. If your app handles personal info, think about protecting or obscuring data — for example, by using encryption.

9. Protect your servers, too. If you maintain a server that communicates with your app, take appropriate measures to protect it.

10. Don’t store passwords in plaintext. Consider using an iterated cryptographic hash function to hash passwords and then verify against those hash values. That way, if your server suffers a data breach, passwords aren’t left totally exposed.

11. You’re not done once you release your app. Stay aware and communicate with your users. New vulnerabilities arise daily and even the most reputable software libraries require security updates. Stay in the loop and have a plan for shipping security updates if needed. Watch your inbox in case users spot a problem first.

12. If you’re dealing with financial data, health data, or kids’ data, make sure you understand applicable standards and regulations. Are you up on COPPA, HIPAA, or GLB? If you’re dealing with certain sensitive information, those abbreviations need to be in your vocabulary.

One more consideration: Once you release an app, laws that apply to other marketers apply to you, too. Visit the BCP Business Center for more compliance tips. If you have clients in pps, send them the link to keep them clued in.

This FTC post makes it seem like all an app developer's customers all will be in the USA. Hardly likely. There are privacy requirements all over the world, and particularly in the European countries, that are more stringent than those of the USA. This Economist article can serve as an introduction to the topic: App developers can be held to account for privacy violation in any market in which they operate.

Add new comment

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.